Hi everyone, this is SMRUTI. Today I am going to give a short description of the OAuth 2.0 authorization protocol.
OAuth 2.0 was developed by the IETF OAuth Working Group and published in October 2012.
Before discussing OAuth 2.0, let's first cover some basics of enterprise security, which are the foundation for implementing any kind of security.
Let us go over some basic terminology that is used very commonly when implementing web application security:
Authentication, Authorization, Data Integrity and Confidentiality.
Here is a short description of each term.
Authentication: Authentication is the process of validating or identifying the user; that is why the user must provide a username and password.
Authorization: Authorization is the process of validating access permissions, or in other words the access scope of a user. That is, authorization tells us whether a specific user is permitted to access a particular resource or not, based on the role of the user.
Data Integrity: Data integrity is the process of ensuring that data transferred between the client and the server is not changed in transit, which is achieved by implementing the Secure Socket Layer (SSL).
Let's discuss what SSL is.
While doing business on the web there is a chance that a hacker might steal sensitive customer data such as a customer's bank id, password etc.; that is why SSL comes into the picture. SSL stands for Secure Socket Layer. It is a standard security technology used for communication between the user and the server based on an encryption format; on the server side the user's information (username, password, card information etc.) is decrypted. SSL is a secure gateway through which a user can send his/her sensitive information in a secure way. SSL is implemented on millions of websites to protect online transactions and customer information. SSL is used to encrypt user credentials and business credentials. SSL is the world's strongest encryption mechanism and provides a critical layer of security. The SSL promise is "protect your customer and protect yourself".
Confidentiality: Confidentiality is the process of ensuring that no one except the intended user is able to understand our information. Confidentiality can be achieved by data secrecy or by using an encryption mechanism.
Along with that, there are several authentication mechanisms:
BASIC, DIGEST, Form-based and HTTPS client-cert.
Here is some short information on these authentication mechanisms,
because before going to OAuth you should have at least a little knowledge of them.
BASIC AUTHENTICATION MECHANISM:
BASIC is an authentication mechanism provided by HTTP 1.1. It is the simplest and most commonly used authentication mechanism.
DIGEST AUTHENTICATION MECHANISM:
It is similar to the BASIC authentication mechanism, except that the password is sent in an encrypted format, which makes it more secure than BASIC.
FORM-BASED AUTHENTICATION MECHANISM:
This mechanism is similar to Basic authentication, but the difference is that instead of depending on the browser's dialog box, we can provide our own login form. The developer is responsible for providing the login and error pages, so the look can be customized to our requirements.
HTTPS CLIENT-CERT AUTHENTICATION MECHANISM:
This is the most secure authentication mechanism and it is commonly used in practice. HTTPS means HTTP over Secure Socket Layer.
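As an added example (not code from the original post), using constructed credentials, realm and nonce, the following shows what a BASIC Authorization header actually carries, how a DIGEST response is computed from the password (RFC 2617, qop=auth), and how a server verifies a DIGEST header against the stored password:

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample credentials, realm and server nonce for this example.
USERNAME, PASSWORD, REALM = "smruti", "s3cret-placeholder", "blog@srimanjavagroup.com"

def basic_header(username, password):
    # BASIC: "user:password" is only base64-encoded; anyone on the wire can read it.
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()

def decode_basic(header):
    # What a proxy, a sniffer, or the server gets back from a BASIC header.
    return base64.b64decode(header.split(" ", 1)[1]).decode().split(":", 1)

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(username, password, realm, method, uri, nonce, cnonce, nc, qop):
    # DIGEST (RFC 2617, qop=auth): the password only feeds a hash; it never leaves the client.
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def digest_header(username, password, realm, method, uri, nonce, nc="00000001"):
    cnonce = secrets.token_hex(8)                  # client nonce, fresh for every request
    response = digest_response(username, password, realm, method, uri, nonce, cnonce, nc, "auth")
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}"')

def parse_digest(header):
    fields = {}
    for part in header.split(" ", 1)[1].split(", "):
        key, value = part.split("=", 1)
        fields[key] = value.strip('"')
    return fields

def verify_digest(header, method, realm, stored_password):
    # Server side: recompute the response from the stored password, compare in constant time.
    f = parse_digest(header)
    if f.get("realm") != realm or f.get("qop") != "auth":
        return False
    expected = digest_response(f["username"], stored_password, realm, method,
                               f["uri"], f["nonce"], f["cnonce"], f["nc"], "auth")
    return hmac.compare_digest(expected, f["response"])
```

Note that the DIGEST verification needs the server to know the clear-text password (or the precomputed HA1), and that a changed method or URI makes the same response fail.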
Let's discuss what OAuth 2.0 is, and why everyone on the internet is using it.
OAuth 2.0 is basically an open standard for access delegation. It is not only for authentication; it is also for access delegation, meaning it delegates your authentication information to some other source. It is an authorization standard.
When we access a secured application, it first verifies our identity by logging us in, and then it ensures that we access only the data and functionality of the application which we are authorized for. So the basic requirements are identity and permission, or authentication and authorization.
OAuth is an authentication and authorization standard which allows an application to gain access to user data in another application without knowing the user id and password for that second application at all.
Here the user is using application A, and application A wants some data related to the user which application B has. Instead of the user sharing his user id and password for application B with A, through OAuth application A redirects the request to application B for login. From that point application B shares a security token with application A, using which the two applications communicate with each other, and application A gets all the required information about the user that application B has.
Take the example of our most popular website, "Sriman java group". Suppose you are reading some article or blog post and you are interested in giving your opinion or some comments in the comment section. To do this, Sriman java group wants you, as an end user, to authenticate yourself first by logging in. Instead of you registering yourself with Sriman java group, Sriman java group uses the services provided by google+ and facebook, because most of us have a facebook account and a google+ login. That is why the Sriman java group people redirect you to a google+ or facebook login page, and after the visitor logs in, google+ and Sriman java group communicate and share the user credentials. This process of one application using another application to log in or authenticate is called federated authentication, which is one of the important parts of the OAuth standard.
Sriman java group registers with google+ and facebook and gets a client ID.
When the user tries to comment on any blog or article of our Sriman Java Group, it redirects him to the google+ or facebook website, passing the client id (like client id=Sriman java group) and a state (state=123456089), which is a unique, atomic code that Sriman java group generates and which represents the current session state of the user. So when control comes back to Sriman java group after the user logs in, it can put the user back into this particular session state. The final parameter is the URL to which google redirects back to Sriman java group once the authentication is completed.
Then the user enters the login information on the google page; google authenticates him and redirects back using this URL (http://srimanjavagroup.com/state=485693567&code=121212), along with the state which Sriman java group forwarded as one of the query parameters and the code which google generates.
Sriman Java Group: code=121212 → google
Then Sriman Java Group takes that code (returned together with the state) and sends one more HTTP request to google, and google returns a unique token. Using that token, Sriman Java Group can send any number of requests to google to get the user information, and the user allows Sriman Java Group access on facebook or google.
→ One more important term is delegated authorization.
Let's say you use a site to file your income tax returns online, and at the end it produces a bunch of tax return documents which it allows you to save in your google drive.
Instead of you, as an end user, sharing your google username and password with the tax website, the tax website redirects you via OAuth to the google login page, where you enter your google username and password. From that point the tax website is able to access your google drive through a google security token, and it only accesses your google drive, not your google mail, photos or google docs. This process of authorization is called delegated authorization.
The current version of OAuth is OAuth 2.0, which is a very popular version.
OAuth defines some standard rules, which is why any application can be a part of that flow to do federated authentication and delegated authorization:
→ data access without sharing usernames and passwords with every application.
There are four different roles in the entire OAuth lifecycle:
1. Resource owner
2. Resource server
3. Client
4. Authorization server
→ Implementations of OAuth are available in various languages. In Java there is an implementation in Spring Security, and Apache CXF has complete support for OAuth 2.0.
Smruti Prakash Nayak